Skip to content

DET0120 Account Access Removal via Multi-Platform Audit Correlation

Item Value
ID DET0120
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1531 (Account Access Removal)

Analytics

Windows

AN0334

Correlated user account modification (reset, disable, deletion) events with anomalous process lineage (e.g., PowerShell or net.exe from an interactive session), especially outside of IT admin change windows or by non-admin users.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) WinEventLog:Security EventCode=4723, 4724, 4740
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
UserContext Account performing the operation (e.g., Domain Admins vs. local users)
TimeWindow Alert only on actions outside of maintenance windows
ParentProcessName Detect suspicious process lineage (e.g., powershell.exe launching net.exe)

Linux

AN0335

Password changes or account deletions via ‘passwd’, ‘userdel’, or ‘chage’ preceded by interactive shell or remote command execution from non-privileged accounts.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL SYSCALL record where exe contains passwd/userdel/chage and auid != root
User Account Authentication (DC0002) NSM:Connections Accepted password or publickey for user from remote IP
Mutable Elements
Field Description
ExecPath Binary path for passwd or userdel, which may vary by distro
NonRootUIDThreshold Alert only if auid != root or expected service account

macOS

AN0336

Execution of dscl or sysadminctl commands to disable, delete, or modify users combined with anomalous process ancestry or terminal session launch.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog command includes dscl . delete or sysadminctl –deleteUser
User Account Authentication (DC0002) macos:unifiedlog successful sudo or authentication for account not normally associated with admin actions
Mutable Elements
Field Description
CommandLinePattern Allow variation in dscl/sysadminctl command structure
AnomalousUserFlag Detect new or rarely seen users performing user removal

ESXi

AN0337

Invocation of esxcli ‘system account remove’ from vCLI, SSH, or vSphere API with anomalous user access or outside maintenance windows.

Log Sources
Data Component Name Channel
User Account Deletion (DC0009) esxi:hostd method=RemoveUser or esxcli system account remove invocation
User Account Authentication (DC0002) esxi:vpxa user login from unexpected IP or non-admin user role
Mutable Elements
Field Description
RemoteUserRole ESXi role triggering the change (e.g., Administrator vs. Viewer)
ExpectedIPs IP ranges authorized to conduct admin-level actions

Office Suite

AN0338

O365 UnifiedAuditLog entries for Remove-Mailbox or Set-Mailbox with account disable or delete actions correlated with suspicious login locations or MFA bypass.

Log Sources
Data Component Name Channel
User Account Deletion (DC0009) m365:unified Remove-Mailbox, Set-Mailbox
User Account Authentication (DC0002) m365:signinlogs Sign-in from anomalous location or impossible travel condition
Mutable Elements
Field Description
RoleAssignment Determine if operation was delegated to expected admin group
GeoThreshold Trigger on unusual geographic login sources

SaaS

AN0339

Deletion or disablement of user accounts in platforms like Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within short duration.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) saas:okta user.lifecycle.delete, user.account.lock
Mutable Elements
Field Description
BulkActionThreshold Trigger if multiple deletions occur within a short period
SessionDeviceType Alert on deletions initiated from unfamiliar device contexts